Garante per la protezione dei dati personali (Italy) - 9592011

From GDPRhub
Garante per la protezione dei dati personali (Italy) - 9592011
LogoIT.png
Authority: Garante per la protezione dei dati personali (Italy)
Jurisdiction: Italy
Relevant Law: Article 28(3)(g) GDPR
Article 58(2)(d) GDPR
Type: Complaint
Outcome: Upheld
Decided: 01.06.2021
Published:
Fine: None
Parties: n/a
National Case Number/Name: 9592011
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Italian
Original Source: GPDP (in IT)
Initial Contributor: n/a

The Italian DPA ordered Associazione Rousseau, the owner of a digital platform for participatory democracy, to give “Movimento 5 Stelle,” a populist political group, access to the personal data of all its members. The DPA clarified that under Article 28(3)(g) GDPR, a processor must return all data to a controller that no longer wants to use its services.

English Summary[edit | edit source]

Facts[edit | edit source]

Movimento 5 Stelle (M5S) is a populist political group. Because it is not recognized as a political party under Italian law, it organized its almost 200,000 certified members on the M5S digital platform. The digital platform, owned by Associazione Rousseau, is designed to enable participatory democracy. M5S members used the site to vote on budgetary and leadership decisions, for example. After a political fallout between the leaders of Movimento 5 Stelle (M5S) and the Associazione Rousseau, M5S decided to stop using the Rousseau platform. Thereafter, two members of M5S asked Associazione Rousseau to delete their data, but Associazione Rousseau refused to do so. M5S objected and submitted a complaint to the Italian DPA.

M5S claimed that it is the data controller of the M5S digital platform, and that Associazione Rousseau, as the data processor, must comply with Article 28 GDPR by returning all personal data to the data controller. MS5 requested that Associazione Rousseau comply by making the domains of the 'movimento5stelle.it' and 'tirendiconto.it' websites available to M5S and by refraining from any form of processing that is not necessary for the fulfilment of their legal obligations.

M5S further demanded that that Associazione Rousseau return the personal data of all M5S members, explain the methods and security requirements it had for collecting and storing data on M5S members, and explain the precise technical procedures it will use for transferring the data in question.


Dispute[edit | edit source]

Associazione Rousseau contends that it is not a data processor M5S digital platform, but merely the owner.

Holding[edit | edit source]

The DPA ascertained, based on the documentation provided by M5S, that the Associazione Rousseau does indeed fulfil the role of data processor - even if in certain situations it is an autonomous data processor - and that M5S is the data controller for all purposes.

Pursuant to Article 58(2)(d) of the GDPR, the DPA ordered Associazione Rousseau to comply with the provisions of Article 28(3)(g) of the GDPR by ensuring that all the personal data of the M5S members are given to Movimento 5 Stelle (M5S). The DPA, moreover, granted a maximum period of five days to comply with the injunction.


Comment[edit | edit source]

Share your comments here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Italian original. Please refer to the Italian original for more details.














SEE ALSO PRESS RELEASE OF 1 JUNE 2021

[doc. web n. 9592011]

Provision of 1 June 2021

Record of measures
n. 223 of 1 June 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, "concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95 / 46 / EC (general regulation on data protection) "(hereinafter," Regulation ");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, n.196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");

GIVEN art. 154, paragraph 1, lett. f) and g) of the Code;

GIVEN the report submitted to the Guarantor pursuant to art. 144 of the Code on 12 May 2021 (as integrated on 19 May 2021), with which the Movimento 5 Stelle Association (hereinafter, "Movimento" or "Movimento 5 Stelle"), in the person of its pro-tempore legal representative Vito Claudio Crimi, represented and defended by Avv. Francesco Cardarelli, following the warning with which he notified the Rousseau Association, responsible for the processing of the data of the members of the Movement, the delivery of the data referring to the members of the Movement itself, the immediate availability of the domains of the "Movimento5stelle .it "and" tirendiconto.it ", as well as" pending, to refrain from any form of treatment that is not necessary for the fulfillment of legal obligations ", asked the Authority to intervene in the exercise of the corrective powers of referred to in art. 58, par. 2, lett. d) of the Regulations;

GIVEN the note of May 14, 2021 with which Dr. XX, as data protection officer of the 5 Star Movement and of the Rousseau Association, in noting that it has received requests for the transfer of the personal data of the members of the Movement "by two natural persons who both declare that they have the legitimacy to carry out this request ", asked Dr. Vito Crimi to know, "prior to the start of any data processing activity (...) what are the policies adopted regarding the protection of personal data, including the attribution of responsibilities to all the figures involved, in order to duly consider the risks inherent to the processing and relating to the specific nature, scope of application, context and purposes of the same ";

GIVEN the note dated 17 May 2021 with which the 5 Star Movement, in referring - in relation to the profile of legal representation - to a pro veritate opinion of notary XX produced in the annex, stated that "given the openly conflicting situation between the owner of the treatment (5 Star Movement) and responsible (Rousseau Association) ", it was necessary to notify the aforementioned responsible for the immediate delivery of the data of the members" to protect the rights of the Movement as well as the legitimate interests and rights of the members themselves "; this, in accordance with the provisions of art. 28, par. 3, lett. g) of the Regulation according to which "at the choice of the data controller", the person in charge is required to cancel or return all personal data and to arrange for the cancellation of existing copies when the provision of the services relating to the treatment is terminated, "unless the law of the Union or of the Member States provides for the retention of data "; in the same note, the Movement, in stating that it has appointed new subjects as data processors (Corporate Advisor srl, Isa srl and Notary in Rome dott. XX), also illustrated precise technical methods of transferring the data in question (release of a forensic copy on two encrypted media, in the presence of the Movement's technical forensic consultant and delivery directly to the owner or his delegate; the encryption key of the media must be delivered directly to the owner via an encrypted communication channel) as well as the methods and requirements of security security for the keeping and conservation of the data (as per annex C) and D) to the note);

GIVEN the note dated 19 May 2021 with which the Data Protection Officer, in reiterating that he had received the same request for the transfer of data from two natural persons who both declare themselves legitimate and that "to date there is no neither of the two subjects a termination of the same request ", expressed doubts regarding the guarantees illustrated in the note of 17 May 2021 and asked" to know, through the appointments implemented and the instructions given to the subjects who will intervene pursuant to art. 28 of the GDPR in the data processing activities, the assessments carried out towards them regarding their ability to guarantee a level of security appropriate to the risk ";

GIVEN the note sent on the same date by the Movimento 5 Stelle to supplement the report of 12 May 2021, with which, in reiterating that as regards the alleged lack of legitimacy, the considerations contained in the aforementioned pro veritate opinion apply, highlighted that, in the case brought to the attention of the Authority, there are "evident violations of the provisions of the Regulation attributable to the Data Processor", with particular reference to:

a) non-compliance with the provisions of art. 28, par. 3, lett. g) of the Regulation which provides for the Responsible to return all data, "at the choice of the data controller", "without any condition, limitation or exception of any kind, pertinent to any opposition to a patrimonial sphere not contemplated by the provisions Euro-unit reference and completely unrelated to the knowledge of the Supervisory Authority referred to here for the sole purpose of complying with the provisions of the EU Regulation ";

b) failure to comply with the instructions given by the data controller, as the Rousseau Association, following the notice of 12 May last, would have put in place a further processing of the data of the members through the massive sending "of reminder emails to the elected representatives of the Movimento (email not solicited or authorized by the Movimento 5 Stelle), requesting the payment of contributions and artfully using an e-mail address attributable to the Movimento (audit@movimento5stelle.it) ";

c) likewise, the Rousseau Association would have put in place a further processing of the data of the members because, using the domain of the Movement, it would have sent the members themselves an email with which they were invited to contact the Data Protection Officer to request the transfer of their data from the 5 Star Movement Association to the Rousseau Association "which from that moment can also become an independent data controller";

GIVEN the note of 20 May 2021 with which the Rousseau Association declared that until the completion of the procedure initiated before the Authority "it will abstain - as it has so far abstained - from carrying out any activity that can be qualified as processing of the data of the interested parties with respect to which it is designated as "Data Processor, limiting itself solely to the activities concerning the treatments necessary to guarantee the essential services requested by the interested parties";

HAVING REGARD to the notes of 24 and 27 May 2021 with which the Authority invited the Rousseau Association to provide information and clarifications regarding the assertions made by the 5 Star Movement in the note of 19 May this year. regarding the processing of data of members and elected representatives (see above letters b) and c)), as well as with regard to the existence of any deed and / or document concerning the designation of the Rousseau Association as data processor, subsequent to the '' deed of appointment conferred by Giuseppe Grillo on 25 April 2016 and already in the acts of the Authority;

GIVEN the note of 27 May 2021 with which the Rousseau Association, in providing feedback to the requests made by the Authority, as well as some preliminary considerations concerning the profile of the capacity and legitimacy of Mr. Vito Crimi to act "as a person to whom would, at present, be attributed the legal representation of the Movement "(according to a pro veritate opinion drawn up by Dr. XX notary in Rome, appointed at the same time as data processor) and, consequently, as the data controller in relations with the Rousseau Association , stated that:

1) as to the alleged violation of the provisions of art. 28, par. 3, lett. g) of the Regulations, the Rousseau Association "has not refused to adhere to the owner's requests, rather setting the theme (...) of wanting to receive and adhere to instructions given by a person who actually has the ability to express the will of the owner Association some data"; furthermore, "art. 28, par. 3 indeed cited provides that "[the treatments by a manager are governed by a contract or other legal act pursuant to the law of the Union or of the Member States that binds the data controller to the data controller and stipulates the matter governed and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, the obligations and rights of the data controller] "and that said contract (which the Associazione Movimento 5 Stelle has not product) may provide, inter alia, as provided therein sub lett. g); consequently, art. 28, par. 3, lett. g) does not establish a principle directly applicable if not transfused into a contract or other legal act under the law of the Union or of the Member States ";

2) in relation to the alleged massive sending of e-mails to the elected representatives for the payment of contributions, in addition to "not being true" that the e-mail address audit@movimento5stelle.it is attributable to the Movement, according to the statutory rules (which refer to a specific regulation) the Rousseau Association has the right to receive a contribution from the elected representatives (national and European parliamentarians and regional councilors) "for which it provides a series of services, rendered through the use of different platforms functional for the purpose, including the so-called "Tirendiconto" platform "; it follows that "the communication sent on May 12, 2021, does not constitute data processing activities carried out as data processing manager of the Movimento 5 Stelle, but as an independent owner within the" Tirendiconto "service that the Association Rousseau distributes to individual parliamentarians and / or regional councilors of the 5 Star Movement "; in fact, it "is by no means unique, since it is a periodic email that is sent every month as part of the relationship between the owner of the Rousseau Association and the interested parties (...); it is also specified that the domain https://www.movimento5stelle.it/ (and therefore the related email domain connected) is owned by the Rousseau Association and not by the Movement (...) ";

3) as for the sending of emails with which members would be invited to contact the DPO asking for the transfer of data to the Rousseau Association, the latter stated that "no email was sent of the same content as the one referred to in the request for clarification ";

4) with reference, finally, to the possible existence of a contract or other document governing the relationship between the owner and manager, the Rousseau Association has declared that, only following any feedback that will eventually be provided by the owner of the treatment, "a complete reply is reserved";

CONSIDERING that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false acts or documents, is liable pursuant to art. 168 of the Code "Falsehood in declarations to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor";

CONSIDERING that, at the state of the documentation, also acquired by the Authority during a previous investigation involving the same subjects, the Movimento 5 Stelle and the Rousseau Association are respectively the owner and manager of the processing of personal data of the members of the Movement (as per the designation deed by Giuseppe Grillo on 25.4.2016);

NOTING that on the occasion of the access request made by Mr. Vito Crimi pursuant to law no. 241/1990 to the documentation relating to the file concerning the violation of the information systems of the so-called Rousseau platform, the Authority deemed it necessary to allow the same access instantly, even as a senior member of the Guarantee Committee pursuant to art. 7, lett. d) of the Statute of the 5 Star Movement Association;

NOTING that, in the light of the declarations made during this proceeding, the Rousseau Association has confirmed that it holds the role of data controller and that it holds the personal data of the members of the Movimento 5 Stelle as data processor and, in party, also as independent data controller;

NOTING, also, of the declarations made by the Rousseau Association in response to the request for clarification formulated by the Authority, both in relation to the processing of the data of members and elected representatives that would have been put in place in violation of the instructions given by the data controller through the relative domains; noted in particular that, in the light of what has been declared, there are no profiles of illegality of the treatments themselves;

NOTING that according to art. 28, par. 3, lett. g) of the Regulations, the data controller, "at the choice of the data controller", is required to cancel or return all personal data "after the provision of the services relating to the treatment has been completed" and to provide for the cancellation of existing copies " unless the law of the Union or of the Member States provides for the retention of data "; considering that the aforementioned provision must be applied even where the regulatory act of the owner / manager relationship does not expressly provide for it or, as in the case in question, is previous on the date of entry into force of the Regulations (as per the deed of designation of the Rousseau Association as data controller of 25 April 2016); this in order to protect - when a conflictual relationship between the parties arises - the interests of the owner of the treatment and, in particular, of the interested parties who over the years have given their data to the Movimento 5 Stell and on the basis of the information provided by the same;

CONSIDERING that, since it is an undisputed circumstance that the Movement is the data controller, it is therefore undisputed that, in this capacity, it has the right to dispose of the personal data of the members to use them, limited to the pursuit of its purposes. Such data, therefore, can be used for the pursuit of the only institutional purposes of the Movement for which such data have been conferred to it;

CONSIDERING therefore that, with reference to the request for the delivery of personal data of members of the Movement, the conditions are met for a corrective action by the Authority pursuant to art. 58. par. 2, lett. d) of the Regulations; therefore deemed it necessary to order the Rousseau Association to provide, as data processor, to implement the provisions of art. 28, par. 3, lett. g) by delivery to the 5 Star Movement, in the forms and in the manner indicated by the owner himself, of all personal data of the members of the Movement, for which the Association is responsible, within 5 (five) days of receipt of this provision; this without prejudice to the further processing of personal data of those members with respect to whom the Rousseau Association is at the same time independent data controller. Pending delivery to the Movement of the data in question, Associazione Rousseau must refrain from any further processing of the data, except for explicit, specific requests of the Movement;

CONSIDERING The need to adopt an urgent measure regarding the processing of the data in question and that these reasons do not currently allow the Board of the Guarantor to be convened in good time;

CONSIDERING that the conditions for the application of art. 5, paragraph 8, of Regulation no. 1/2000 on the organization and functioning of the Guarantor's office, in the part in which it is foreseen that "In cases of particular urgency and non-postponement that do not allow the convocation of the Guarantor in good time, the president can adopt the measures of competence of the body, which cease to be effective from the moment of their adoption if they are not ratified by the Guarantor at the first meeting, to be convened no later than the thirtieth day "(in www.gpdp.it, web doc. n. 1098801) ;

Having seen the documentation in deeds;

WHEREAS, THE GUARANTOR:

a) pursuant to art. 58, par. 2, lett. d) of the Regulations orders the Rousseau Association, responsible for processing the data of the 5 Star Movement members, to comply with the provisions of art. 28, par. 3, lett. g) of the Regulations by providing to the aforementioned Data Controller Movement, in the forms and in the manner indicated by the same, all personal data of the members of the same Movement, of which the Association is responsible for the processing; it is also ordered to refrain from any further processing of the personal data in question under the terms set out in the motivation;

b) the aforementioned delivery must take place within 5 (five) days from the date of receipt of this provision.

Pursuant to art. 78 of the Regulations, as well as articles 152 of the Code and 10 of Legislative Decree n. 150/2011, an opposition to the ordinary judicial authority may be proposed against this provision, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.

Rome, 1 June 2021

PRESIDENT
Stanzione









   function printDiv (divIdToPrint, title)
    {
var divToPrint = document.getElementById (divIdToPrint);
var newWin = window.open ('', 'Print-Window');
newWin.document.open ();
newWin.document.write ('<html> <body onload = "window.print ()"> <img style = "width: 100%;" src = "/ o / guarante-privacy-theme / images / topdoc.gif "/> <h2 class =" internal-title "> '+ title +' </h2> '+ divToPrint.innerHTML +' </body> </html> ');
newWin.document.close ();
setTimeout (function () {newWin.close ();}, 10);
  }




SEE ALSO PRESS RELEASE OF 1 JUNE 2021

[doc. web n. 9592011]

Provision of 1 June 2021

Record of measures
n. 223 of 1 June 2021

THE GUARANTOR FOR THE PROTECTION OF PERSONAL DATA

GIVEN the Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, "concerning the protection of individuals with regard to the processing of personal data, as well as the free circulation of such data and which repeals Directive 95 / 46 / EC (general regulation on data protection) "(hereinafter," Regulation ");

GIVEN the Code regarding the protection of personal data, containing provisions for the adaptation of the national system to Regulation (EU) 2016/679 (Legislative Decree 30 June 2003, n.196, as amended by Legislative Decree 10 August 2018, no. 101, hereinafter the "Code");

GIVEN art. 154, paragraph 1, lett. f) and g) of the Code;

GIVEN the report submitted to the Guarantor pursuant to art. 144 of the Code on 12 May 2021 (as integrated on 19 May 2021), with which the Movimento 5 Stelle Association (hereinafter, "Movimento" or "Movimento 5 Stelle"), in the person of its pro-tempore legal representative Vito Claudio Crimi, represented and defended by Avv. Francesco Cardarelli, following the warning with which he notified the Rousseau Association, responsible for the processing of the data of the members of the Movement, the delivery of the data referring to the members of the Movement itself, the immediate availability of the domains of the "Movimento5stelle .it "and" tirendiconto.it ", as well as" pending, to refrain from any form of treatment that is not necessary for the fulfillment of legal obligations ", asked the Authority to intervene in the exercise of the corrective powers of referred to in art. 58, par. 2, lett. d) of the Regulations;

GIVEN the note of May 14, 2021 with which Dr. XX, as data protection officer of the 5 Star Movement and of the Rousseau Association, in noting that it has received requests for the transfer of the personal data of the members of the Movement "by two natural persons who both declare that they have the legitimacy to carry out this request ", asked Dr. Vito Crimi to know, "prior to the start of any data processing activity (...) what are the policies adopted regarding the protection of personal data, including the attribution of responsibilities to all the figures involved, in order to duly consider the risks inherent to the processing and relating to the specific nature, scope of application, context and purposes of the same ";

GIVEN the note dated 17 May 2021 with which the 5 Star Movement, in referring - in relation to the profile of legal representation - to a pro veritate opinion of notary XX produced in the annex, stated that "given the openly conflicting situation between the owner of the treatment (5 Star Movement) and responsible (Rousseau Association) ", it was necessary to notify the aforementioned responsible for the immediate delivery of the data of the members" to protect the rights of the Movement as well as the legitimate interests and rights of the members themselves "; this, in accordance with the provisions of art. 28, par. 3, lett. g) of the Regulation according to which "at the choice of the data controller", the person in charge is required to cancel or return all personal data and to arrange for the cancellation of existing copies when the provision of the services relating to the treatment is terminated, "unless the law of the Union or of the Member States provides for the retention of data "; in the same note, the Movement, in stating that it has appointed new subjects as data processors (Corporate Advisor srl, Isa srl and Notary in Rome dott. XX), also illustrated precise technical methods of transferring the data in question (release of a forensic copy on two encrypted media, in the presence of the Movement's technical forensic consultant and delivery directly to the owner or his delegate; the encryption key of the media must be delivered directly to the owner via an encrypted communication channel) as well as the methods and requirements of security security for the keeping and conservation of the data (as per annex C) and D) to the note);

GIVEN the note dated 19 May 2021 with which the Data Protection Officer, in reiterating that he had received the same request for the transfer of data from two natural persons who both declare themselves legitimate and that "to date there is no neither of the two subjects a termination of the same request ", expressed doubts regarding the guarantees illustrated in the note of 17 May 2021 and asked" to know, through the appointments implemented and the instructions given to the subjects who will intervene pursuant to art. 28 of the GDPR in the data processing activities, the assessments carried out towards them regarding their ability to guarantee a level of security appropriate to the risk ";

GIVEN the note sent on the same date by the Movimento 5 Stelle to supplement the report of 12 May 2021, with which, in reiterating that as regards the alleged lack of legitimacy, the considerations contained in the aforementioned pro veritate opinion apply, highlighted that, in the case brought to the attention of the Authority, there are "evident violations of the provisions of the Regulation attributable to the Data Processor", with particular reference to:

a) non-compliance with the provisions of art. 28, par. 3, lett. g) of the Regulation which provides for the Responsible to return all data, "at the choice of the data controller", "without any condition, limitation or exception of any kind, pertinent to any opposition to a patrimonial sphere not contemplated by the provisions Euro-unit reference and completely unrelated to the knowledge of the Supervisory Authority referred to here for the sole purpose of complying with the provisions of the EU Regulation ";

b) failure to comply with the instructions given by the data controller, as the Rousseau Association, following the notice of 12 May last, would have put in place a further processing of the data of the members through the massive sending "of reminder emails to the elected representatives of the Movimento (email not solicited or authorized by the Movimento 5 Stelle), requesting the payment of contributions and artfully using an e-mail address attributable to the Movimento (audit@movimento5stelle.it) ";

c) likewise, the Rousseau Association would have put in place a further processing of the data of the members because, using the domain of the Movement, it would have sent the members themselves an email with which they were invited to contact the Data Protection Officer to request the transfer of their data from the 5 Star Movement Association to the Rousseau Association "which from that moment can also become an independent data controller";

GIVEN the note of 20 May 2021 with which the Rousseau Association declared that until the completion of the procedure initiated before the Authority "it will abstain - as it has so far abstained - from carrying out any activity that can be qualified as processing of the data of the interested parties with respect to which it is designated as "Data Processor, limiting itself solely to the activities concerning the treatments necessary to guarantee the essential services requested by the interested parties";

HAVING REGARD to the notes of 24 and 27 May 2021 with which the Authority invited the Rousseau Association to provide information and clarifications regarding the assertions made by the 5 Star Movement in the note of 19 May this year. regarding the processing of data of members and elected representatives (see above letters b) and c)), as well as with regard to the existence of any deed and / or document concerning the designation of the Rousseau Association as data processor, subsequent to the '' deed of appointment conferred by Giuseppe Grillo on 25 April 2016 and already in the acts of the Authority;

GIVEN the note of 27 May 2021 with which the Rousseau Association, in providing feedback to the requests made by the Authority, as well as some preliminary considerations concerning the profile of the capacity and legitimacy of Mr. Vito Crimi to act "as a person to whom would, at present, be attributed the legal representation of the Movement "(according to a pro veritate opinion drawn up by Dr. XX notary in Rome, appointed at the same time as data processor) and, consequently, as the data controller in relations with the Rousseau Association , stated that:

1) as to the alleged violation of the provisions of art. 28, par. 3, lett. g) of the Regulations, the Rousseau Association "has not refused to adhere to the owner's requests, rather setting the theme (...) of wanting to receive and adhere to instructions given by a person who actually has the ability to express the will of the owner Association some data"; furthermore, "art. 28, par. 3 indeed cited provides that "[the treatments by a manager are governed by a contract or other legal act pursuant to the law of the Union or of the Member States that binds the data controller to the data controller and stipulates the matter governed and the duration of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects, the obligations and rights of the data controller] "and that said contract (which the Associazione Movimento 5 Stelle has not product) may provide, inter alia, as provided therein sub lett. g); consequently, art. 28, par. 3, lett. g) does not establish a principle directly applicable if not transfused into a contract or other legal act under the law of the Union or of the Member States ";

2) in relation to the alleged massive sending of e-mails to the elected representatives for the payment of contributions, in addition to "not being true" that the e-mail address audit@movimento5stelle.it is attributable to the Movement, according to the statutory rules (which refer to a specific regulation) the Rousseau Association has the right to receive a contribution from the elected representatives (national and European parliamentarians and regional councilors) "for which it provides a series of services, rendered through the use of different platforms functional for the purpose, including the so-called "Tirendiconto" platform "; it follows that "the communication sent on May 12, 2021, does not constitute data processing activities carried out as data processing manager of the Movimento 5 Stelle, but as an independent owner within the" Tirendiconto "service that the Association Rousseau distributes to individual parliamentarians and / or regional councilors of the 5 Star Movement "; in fact, it "is by no means unique, since it is a periodic email that is sent every month as part of the relationship between the owner of the Rousseau Association and the interested parties (...); it is also specified that the domain https://www.movimento5stelle.it/ (and therefore the related email domain connected) is owned by the Rousseau Association and not by the Movement (...) ";

3) as for the sending of emails with which members would be invited to contact the DPO asking for the transfer of data to the Rousseau Association, the latter stated that "no email was sent of the same content as the one referred to in the request for clarification ";

4) with reference, finally, to the possible existence of a contract or other document governing the relationship between the owner and manager, the Rousseau Association has declared that, only following any feedback that will eventually be provided by the owner of the treatment, "a complete reply is reserved";

CONSIDERING that, unless the fact constitutes a more serious crime, whoever, in a proceeding before the Guarantor, falsely declares or certifies news or circumstances or produces false acts or documents, is liable pursuant to art. 168 of the Code "Falsehood in declarations to the Guarantor and interruption of the execution of the tasks or the exercise of the powers of the Guarantor";

CONSIDERING that, at the state of the documentation, also acquired by the Authority during a previous investigation involving the same subjects, the Movimento 5 Stelle and the Rousseau Association are respectively the owner and manager of the processing of personal data of the members of the Movement (as per the designation deed by Giuseppe Grillo on 25.4.2016);

NOTING that on the occasion of the access request made by Mr. Vito Crimi pursuant to law no. 241/1990 to the documentation relating to the file concerning the violation of the information systems of the so-called Rousseau platform, the Authority deemed it necessary to allow the same access instantly, even as a senior member of the Guarantee Committee pursuant to art. 7, lett. d) of the Statute of the 5 Star Movement Association;

NOTING that, in the light of the declarations made during this proceeding, the Rousseau Association has confirmed that it holds the role of data controller and that it holds the personal data of the members of the Movimento 5 Stelle as data processor and, in party, also as independent data controller;

NOTING, also, of the declarations made by the Rousseau Association in response to the request for clarification formulated by the Authority, both in relation to the processing of the data of members and elected representatives that would have been put in place in violation of the instructions given by the data controller through the relative domains; noted in particular that, in the light of what has been declared, there are no profiles of illegality of the treatments themselves;

NOTING that according to art. 28, par. 3, lett. g) of the Regulations, the data controller, "at the choice of the data controller", is required to cancel or return all personal data "after the provision of the services relating to the treatment has been completed" and to provide for the cancellation of existing copies " unless the law of the Union or of the Member States provides for the retention of data "; considering that the aforementioned provision must be applied even where the regulatory act of the owner / manager relationship does not expressly provide for it or, as in the case in question, is previous on the date of entry into force of the Regulations (as per the deed of designation of the Rousseau Association as data controller of 25 April 2016); this in order to protect - when a conflictual relationship between the parties arises - the interests of the owner of the treatment and, in particular, of the interested parties who over the years have given their data to the Movimento 5 Stell and on the basis of the information provided by the same;

CONSIDERING that, since it is an undisputed circumstance that the Movement is the data controller, it is therefore undisputed that, in this capacity, it has the right to dispose of the personal data of the members to use them, limited to the pursuit of its purposes. Such data, therefore, can be used for the pursuit of the only institutional purposes of the Movement for which such data have been conferred to it;

CONSIDERING therefore that, with reference to the request for the delivery of personal data of members of the Movement, the conditions are met for a corrective action by the Authority pursuant to art. 58. par. 2, lett. d) of the Regulations; therefore deemed it necessary to order the Rousseau Association to provide, as data processor, to implement the provisions of art. 28, par. 3, lett. g) by delivery to the 5 Star Movement, in the forms and in the manner indicated by the owner himself, of all personal data of the members of the Movement, for which the Association is responsible, within 5 (five) days of receipt of this provision; this without prejudice to the further processing of personal data of those members with respect to whom the Rousseau Association is at the same time independent data controller. Pending delivery to the Movement of the data in question, Associazione Rousseau must refrain from any further processing of the data, except for explicit, specific requests of the Movement;

CONSIDERING The need to adopt an urgent measure regarding the processing of the data in question and that these reasons do not currently allow the Board of the Guarantor to be convened in good time;

CONSIDERING that the conditions for the application of art. 5, paragraph 8, of Regulation no. 1/2000 on the organization and functioning of the Guarantor's office, in the part in which it is foreseen that "In cases of particular urgency and non-postponement that do not allow the convocation of the Guarantor in good time, the president can adopt the measures of competence of the body, which cease to be effective from the moment of their adoption if they are not ratified by the Guarantor at the first meeting, to be convened no later than the thirtieth day "(in www.gpdp.it, web doc. n. 1098801) ;

Having seen the documentation in deeds;

WHEREAS, THE GUARANTOR:

a) pursuant to art. 58, par. 2, lett. d) of the Regulations orders the Rousseau Association, responsible for processing the data of the 5 Star Movement members, to comply with the provisions of art. 28, par. 3, lett. g) of the Regulations by providing to the aforementioned Data Controller Movement, in the forms and in the manner indicated by the same, all personal data of the members of the same Movement, of which the Association is responsible for the processing; it is also ordered to refrain from any further processing of the personal data in question under the terms set out in the motivation;

b) the aforementioned delivery must take place within 5 (five) days from the date of receipt of this provision.

Pursuant to art. 78 of the Regulations, as well as articles 152 of the Code and 10 of Legislative Decree n. 150/2011, an opposition to the ordinary judicial authority may be proposed against this provision, with an appeal filed with the ordinary court of the place identified in the same art. 10, within thirty days from the date of communication of the provision itself, or sixty days if the applicant resides abroad.

Rome, 1 June 2021

PRESIDENT
Stanzione